
From points to payouts: The evolution of the Microsoft security researcher leaderboard

The global security research community plays a critical role in helping Microsoft protect customers. Through their deep technical expertise, coordinated disclosure, and collaboration, researchers help identify and remediate vulnerabilities, and shape how our security programs evolve. Many of the improvements we make, including how we recognize and reward impact, are the direct result of this partnership. 

Today, I’m excited to share an important evolution in how we recognize this partnership. Starting July this year, our Most Valuable Researchers will be ranked by bounty award payout. Alongside the MVR leaderboard, we’ll introduce an honorable mentions list recognizing all researchers who submit valid vulnerability reports during the year, independent of ranking. 

Historically, we recognized impactful research through two parallel systems: bounty awards and points. Bounty awards were available for select products and services, while the points model ensured that all valuable submissions were recognized and incentivized. 

In December, Microsoft publicly announced an in-scope by default approach for eligible vulnerability submissions, expanding bounty coverage across more products and scenarios. With bounty awards now serving as the primary and consistent signal of security impact, we can simplify how impact is measured. Researcher rankings will now be based directly on bounty award amounts, standardizing recognition, reducing complexity, and making it easier for researchers to understand how impact is measured and how to succeed. 

We’re announcing this update now to give researchers clear visibility into how recognition will be measured for the annual Most Valuable Researcher (MVR) leaderboard announced in mid-July. 

What this change means for security researchers

This update changes how impact is measured for recognition. Starting with the July 2026 MVR leaderboard, rankings will be based on bounty award amounts, providing a more consistent signal that aligns recognition with vulnerability severity and real security outcomes, while reducing divergence between monetary and non‑monetary incentives.

What isn’t changing is our commitment to recognizing meaningful contributions. Past MVRs and leaderboard recipients should continue to take pride in their achievements. The previous model was effective for its time and enabled recognition across a wide range of products and scenarios. This evolution builds on that foundation rather than replacing it.

To support a smooth transition, Microsoft will complete the upcoming quarterly leaderboards using the existing points‑based model through the end of June 2026. The move to bounty‑award rankings will begin with the annual MVR leaderboard in July, ahead of Black Hat, giving researchers advance notice and time to adjust.

Going forward, recognition will include: 

  • Public bounty-based leaderboards released twice yearly, with the annual MVR ranking published in July, and a mid-year leaderboard released in January that reflects researcher rankings based on bounty award amounts, separate from the annual MVR ranking.

  • An honorable mentions list recognizing every researcher who submits a valid vulnerability report during the year, ensuring all meaningful contributions are acknowledged regardless of rank.

  • Bounty‑based technical leaderboards for select bounty programs, highlighting the top 10 researchers within individual bounty programs, rather than an overall ranking, and showcasing expertise and impact within specific areas. These program-level leaderboards will be published alongside our January and July leaderboard updates.

  • Deeper engagement opportunities, with leaderboards helping surface researchers for invitations to events and programs such as Zero Day Quest.

As Microsoft’s bounty programs continue to expand, it’s increasingly important that recognition models remain accurate, transparent, and aligned with security outcomes. Using bounty award amounts provides a clearer signal of impact and a more predictable, understandable path to recognition.

To every researcher who contributes their expertise, time, and creativity to securing Microsoft’s products: thank you. Your work makes a real difference, and we’re proud to celebrate the impact you drive every day.

Tom Gallagher, VP of Engineering, MSRC